Package: apache2
Version: 2.4.38-3+deb10u4
Severity: normal
Tags: patch

Hi

The current version has a race condition in mod_unique_id causing non-unique IDs to be generated (multiple threads are using a counter without any mutex). I've encountered the issue in a production situation myself.

The issue has been fixed upstream.

https://svn.apache.org/viewvc?view=revision&revision=1887244
https://svn.apache.org/viewvc?view=revision&revision=1887245

I've tried to compile the patch on top of the current stable version 2.0.38, which seems to work. Upstream, the patch is only available from 2.0.47 and it's currently in experimental. Maybe it can be applied to 2.0.38 as well.

Best regards
Atle Solbakken

-- Package-specific info:

-- System Information:
Debian Release: 10.9
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-13-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US:en (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apache2 depends on:
ii  apache2-bin    2.4.38-3+deb10u4
ii  apache2-data   2.4.38-3+deb10u4
ii  apache2-utils  2.4.38-3+deb10u4
ii  dpkg           1.19.7
ii  lsb-base       10.2019051400
ii  mime-support   3.62
ii  perl           5.28.1-6+deb10u1
ii  procps         2:3.3.15-2

Versions of packages apache2 recommends:
ii  ssl-cert  1.0.39

Versions of packages apache2 suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
pn  www-browser                                      <none>

Versions of packages apache2-bin depends on:
ii  libapr1                  1.6.5-1+b1
ii  libaprutil1              1.6.1-4
ii  libaprutil1-dbd-sqlite3  1.6.1-4
ii  libaprutil1-ldap         1.6.1-4
ii  libbrotli1               1.0.7-2+deb10u1
ii  libc6                    2.28-10
ii  libcurl4                 7.64.0-4+deb10u2
ii  libjansson4              2.12-1
ii  libldap-2.4-2            2.4.47+dfsg-3+deb10u6
ii  liblua5.2-0              5.2.4-1.1+b2
ii  libnghttp2-14            1.36.0-2+deb10u1
ii  libpcre3                 2:8.39-12
ii  libssl1.1                1.1.1d-0+deb10u6
ii  libxml2                  2.9.4+dfsg1-7+deb10u1
ii  perl                     5.28.1-6+deb10u1
ii  zlib1g                   1:1.2.11.dfsg-1

Versions of packages apache2-bin suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
pn  www-browser                                      <none>

Versions of packages apache2 is related to:
ii  apache2      2.4.38-3+deb10u4
ii  apache2-bin  2.4.38-3+deb10u4

-- no debconf information
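
Added example, not part of the original report and not the upstream patch or mod_unique_id source: a small pthread program showing the class of bug described above, where a shared counter read and written in separate steps hands the same ID to two threads, next to a counter advanced with a single atomic fetch-and-add. All names (`next_id_racy`, `next_id_atomic`, `count_duplicates`) and the workload sizes are constructed for illustration.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>

#define MAX_THREADS 4
#define PER_THREAD 50000            /* constructed workload size */
#define TOTAL (MAX_THREADS * PER_THREAD)

static atomic_uint counter;         /* shared ID counter */
static atomic_uchar seen[TOTAL];    /* seen[id] is set once id has been issued */
static atomic_uint duplicates;
static int use_atomic;

/* Unsynchronized counter++ modelled as a separate read and write. */
static unsigned next_id_racy(void) {
    unsigned v = atomic_load(&counter);
    atomic_store(&counter, v + 1);  /* another thread may have read the same v */
    return v;
}

/* One indivisible read-modify-write: every caller gets a distinct value. */
static unsigned next_id_atomic(void) {
    return atomic_fetch_add(&counter, 1);
}

static void *worker(void *arg) {
    (void)arg;
    for (int i = 0; i < PER_THREAD; i++) {
        unsigned id = use_atomic ? next_id_atomic() : next_id_racy();
        /* atomic_exchange returns the old flag: nonzero means id was issued before */
        if (atomic_exchange(&seen[id], 1)) atomic_fetch_add(&duplicates, 1);
    }
    return NULL;
}

/* Issue nthreads * PER_THREAD IDs and return how many were handed out twice. */
unsigned count_duplicates(int atomic_mode, int nthreads) {
    pthread_t t[MAX_THREADS];
    if (nthreads < 1 || nthreads > MAX_THREADS) return (unsigned)-1;
    use_atomic = atomic_mode;
    atomic_store(&counter, 0); atomic_store(&duplicates, 0);
    for (int i = 0; i < TOTAL; i++) atomic_store(&seen[i], 0);
    for (int i = 0; i < nthreads; i++) pthread_create(&t[i], NULL, worker, NULL);
    for (int i = 0; i < nthreads; i++) pthread_join(t[i], NULL);
    return atomic_load(&duplicates);
}

int main(void) {
    printf("load/store counter: %u duplicate IDs\n", count_duplicates(0, MAX_THREADS));
    printf("fetch_add counter:  %u duplicate IDs\n", count_duplicates(1, MAX_THREADS));
}
```

Build with `cc -pthread`. The duplicate count for the load/store variant varies from run to run and with the number of CPU cores, which is why such a bug tends to surface only under production load.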